Saturday, January 17, 2009

The Science and Art of Computer Forensics - Part 1

I am putting a disclaimer right at the beginning of this post: I am not an attorney and everything I say about the legal system is solely my opinion.  I am over-simplifying in several areas so I don't get too technical.  If you really want to know about file systems, or computer forensics, I can suggest several excellent and boring books that go into painful detail.  I read them so you don't have to!

Your first question could be, "Why did he say that art and science thing backwards?"

When it comes to computer forensics, the science must precede the art.  I'll get to the art part in a little bit.

In order for there to be such a thing as computer forensics, certain scientific things must be in place:

A very clear understanding and definition of the structure and operation of data storage methods and media.

Until a device, such as a hard drive, has been designed and engineered to store data at an electro-mechanical level, and software has been developed to manage that stored data, there is nothing to recover or analyze.

Prior to any data being available for recovery and analysis, hardware and software must be designed, input devices created, and some method for determining how and when data will be stored and managed must be made available.

Today we call that conglomeration a computer.  Lest we get stuck in the paradigm of a computer being a tower with a screen, a keyboard and a mouse, the most widely used computing platform today is probably the cell phone, which looks nothing at all like a desktop or laptop computer.
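To make the "structure of data storage" point concrete, here is an added example (an illustration added to this post, not the author's own code) that parses the partition table of a classic MBR boot sector. The sector is constructed inside the code; nothing here was captured from a real disk, and the partition sizes and type IDs are hypothetical. Every partition entry is 16 bytes at a fixed offset, and an examiner needs exactly this kind of layout knowledge before any file system inside a partition can even be located. The unallocated-gap check at the end shows where an examiner would look for data that has been deliberately placed outside any partition.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446        # four 16-byte entries occupy bytes 446..509
ENTRY_SIZE = 16
ENTRY_FORMAT = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA start, sector count
MBR_SIGNATURE = b"\x55\xaa"         # bytes 510..511 of a valid MBR

# A few well-known partition type IDs (not an exhaustive list).
TYPE_NAMES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x83: "Linux", 0xEE: "GPT protective"}


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int

    @property
    def byte_offset(self) -> int:
        # Where this partition's own boot sector / superblock begins in the image.
        return self.lba_start * SECTOR_SIZE

    @property
    def byte_length(self) -> int:
        return self.sector_count * SECTOR_SIZE


def is_mbr(sector: bytes) -> bool:
    """True only if the sector is full length and carries the 0x55AA signature."""
    return len(sector) >= SECTOR_SIZE and sector[510:512] == MBR_SIGNATURE


def parse_mbr(sector: bytes) -> List[Partition]:
    """Decode the four primary partition entries; empty slots are skipped."""
    if not is_mbr(sector):
        raise ValueError("no 0x55AA signature at offset 510: not an MBR sector")
    parts = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            ENTRY_FORMAT, sector, PARTITION_TABLE_OFFSET + i * ENTRY_SIZE)
        if ptype == 0 and count == 0:
            continue                                  # unused slot
        if status not in (0x00, 0x80):
            raise ValueError(f"entry {i}: status byte {status:#04x} is neither 0x00 nor 0x80")
        parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts


def unallocated_gaps(parts: List[Partition], total_sectors: int) -> List[Tuple[int, int]]:
    """Sector ranges (start, length) that belong to no partition.

    Sector 0 is the MBR itself; everything else not covered by an entry is
    space a file system never manages and is a classic place to hide data."""
    gaps = []
    cursor = 1
    for p in sorted(parts, key=lambda p: p.lba_start):
        if p.lba_start > cursor:
            gaps.append((cursor, p.lba_start - cursor))
        cursor = max(cursor, p.lba_start + p.sector_count)
    if total_sectors > cursor:
        gaps.append((cursor, total_sectors - cursor))
    return gaps


def build_sample_mbr() -> bytes:
    """Constructed, hypothetical sector: two partitions, two empty slots."""
    def entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
        status = 0x80 if bootable else 0x00
        # CHS fields are zeroed; modern tooling keys off the LBA fields.
        return struct.pack(ENTRY_FORMAT, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)
    table = (entry(True, 0x07, 2048, 204800)
             + entry(False, 0x83, 206848, 409600)
             + b"\x00" * (2 * ENTRY_SIZE))
    return b"\x00" * PARTITION_TABLE_OFFSET + table + MBR_SIGNATURE


if __name__ == "__main__":
    mbr = build_sample_mbr()
    parts = parse_mbr(mbr)
    for p in parts:
        print(f"#{p.index} boot={p.bootable} type={TYPE_NAMES.get(p.type_id, hex(p.type_id))} "
              f"start_byte={p.byte_offset} length={p.byte_length}")
    print("unallocated (start_sector, sectors):", unallocated_gaps(parts, 1_000_000))
```

The byte offsets returned here are what a forensic tool feeds to its file system parser next; the gap list (here, sectors 1 through 2047 before the first partition, and the tail of the disk) is where an examiner looks for data that no file system ever indexed.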

How does all this relate to the science of computer forensics?  Let's begin at the beginning:

The first job of computer forensics software is to recover data that has been lost or obscured in some way: deleted data, hidden data, or data obscured through steganography or encryption.  (Encryption is the hard case: without the key or passphrase, or a way to recover it, the software can identify that data is encrypted but cannot produce its contents.)

The second job of computer forensics software is to locate data through various means: displaying all types of file formats, searching for relevant keywords, and displaying files inside of files (compression archives such as a .zip file, email containers, and the like).

The third job of forensics software is to rebuild certain types of data by locating and restructuring it so it can be analyzed: data such as web pages, internet history, and files that are only partially complete.

All of the above must be done, in a forensic sense, while preserving the integrity of the original data, to ensure that nothing is accidentally changed by the software, which would render the evidentiary value of the data useless.  In practice that means the examiner works on a verified copy (an image) of the original media, acquired through a write blocker, and records cryptographic hashes of that image so that any later change, accidental or otherwise, can be demonstrated rather than merely asserted.
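The three jobs above, together with the integrity requirement, as one added example (an illustration added to this post, not the author's code or any particular forensic product). A small raw image is constructed inside the code with two "deleted" files: their directory entries are gone, but their bytes remain, and carving by file signature recovers them. A third file that has a header but no trailer is reported as incomplete rather than guessed at, and a SHA-256 digest recorded before analysis is re-checked afterwards so that any accidental write to the image is detected. The image contents and the file bytes are constructed stand-ins, not real files.

```python
import hashlib
from dataclasses import dataclass
from typing import List

SECTOR = 512

# Constructed sample data. Real magic numbers and trailers, but the bodies are
# filler; these are hypothetical stand-ins for a JPEG and a PNG whose directory
# entries were deleted while the bytes stayed on disk.
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"A" * 40 + b"\xff\xd9"
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"B" * 32 + b"IEND" + b"\xae\x42\x60\x82"
TRUNCATED_JPEG = b"\xff\xd8\xff\xe1" + b"C" * 20          # header, no trailer

# (kind, header, trailer, extra bytes that follow the trailer match)
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9", 0),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND", 4),           # IEND chunk is followed by a 4-byte CRC
]


@dataclass
class CarvedFile:
    kind: str
    offset: int
    data: bytes
    complete: bool


def build_image() -> bytes:
    """Constructed 4 KiB image: zero-filled 'unallocated' space with files planted in it."""
    img = bytearray(SECTOR * 8)
    img[SECTOR * 1:SECTOR * 1 + len(FAKE_JPEG)] = FAKE_JPEG
    img[SECTOR * 5:SECTOR * 5 + len(FAKE_PNG)] = FAKE_PNG
    img[SECTOR * 7:SECTOR * 7 + len(TRUNCATED_JPEG)] = TRUNCATED_JPEG
    return bytes(img)


def sha256_hex(image: bytes) -> str:
    """Hash the image sector by sector, the way an acquisition tool would a large device."""
    h = hashlib.sha256()
    for i in range(0, len(image), SECTOR):
        h.update(image[i:i + SECTOR])
    return h.hexdigest()


def verify_unchanged(image: bytes, recorded_digest: str) -> bool:
    """Re-hash after analysis and compare with the digest recorded at acquisition."""
    return sha256_hex(image) == recorded_digest


def carve(image: bytes) -> List[CarvedFile]:
    """Recover files by header/trailer signature, ignoring any file system metadata.

    Caveat: signature carving cannot reassemble fragmented files and can pair a
    header with a trailer that belongs to a different file; results are leads
    for the examiner to validate, not proof on their own."""
    found = []
    for kind, header, trailer, extra in SIGNATURES:
        start = 0
        while True:
            start = image.find(header, start)
            if start == -1:
                break
            end = image.find(trailer, start + len(header))
            if end == -1:
                # Header with no trailer: truncated, fragmented or overwritten.
                # Report the location rather than inventing an end point.
                found.append(CarvedFile(kind, start, b"", False))
                start += len(header)
                continue
            end += len(trailer) + extra
            found.append(CarvedFile(kind, start, image[start:end], True))
            start = end
    found.sort(key=lambda f: f.offset)
    return found


if __name__ == "__main__":
    image = build_image()
    digest = sha256_hex(image)                # recorded at acquisition time
    for f in carve(image):
        state = f"{len(f.data)} bytes" if f.complete else "incomplete (no trailer)"
        print(f"{f.kind} at offset {f.offset}: {state}")
    print("image unchanged after analysis:", verify_unchanged(image, digest))
```

The carver never consults a directory or allocation table, which is exactly why it can find the files after deletion; the same property is why every hit has to be checked against the recorded hash and against the file's own internal structure before anyone calls it a fact.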

All of that is science.  Or to be more precise, it is hardware and software engineering.

With all of those tools at hand, a forensic examination of a computer, or of any other device that stores data, begins by finding facts.  Facts in this case should be considered absolutes.  Does file A exist?  If it does, that is a fact.

Does a letter from subject A to subject B, written and stored on the computer's hard drive, exist?  If it does, that would be considered a fact.

Now you may ask, if all of that science stuff can do all of that, where does the art come in?

If things were really that simple, there would be no art needed in computer forensics.  The reality is that simply establishing that a fact is present does not put that fact into context.

And when you begin to cross over into the legal system, context is everything.

A little about the interaction of computer forensics and the legal system: whenever the existence of a fact is in dispute, to the point where it must enter the legal system, it is because some party has been injured, or believes that they have been injured, by another party.

In the case of criminal law, the purpose is to establish beyond a reasonable doubt the identity of the injuring party, so that they can be subjected to the penalties of the law they have violated and society as a whole is protected from any further actions by the accused.

While we all want to believe that our system is there to provide justice for the victim, the real purpose is the protection of the public as a whole, not an individual.

In a civil case, the purpose is to prove, by a preponderance of the evidence, that the injuring party is in fact at fault and should be held responsible for their actions.

How does one go about proving their case?  Have you ever heard the expression, "There are always two sides to every story"?

Let's walk through the process together.  First of all, I am making this very simple to illustrate my points about computer forensics.  The actual legal system is extraordinarily complex.  That is why we all need attorneys who are schooled and skilled in the practice of law.

In either kind of case, the process is similar in that there are two sides to the story: the story of the accused and the story of the accuser.

In a homicide case, the accuser is the state and the victim's story is told through the prosecutor, since the victim obviously cannot speak for themselves.

On the other side is the defense counsel who is the advocate for the accused and tells their side of the story.

Each side gathers all of the facts available in the case and develops a theory of what happened.  This theory is developed into a story that will be told to a jury, to try to convince the jury that their story is the most accurate and that the jury should therefore vote for their version of what happened.

In our system in the US, the prosecution always goes first because it bears the burden of proving that the accused is guilty beyond a reasonable doubt.  (Not "beyond a shadow of a doubt," which is a common mangling of the phrase.)  Remember that in our system the accused is innocent until proven guilty, a little fact that seems to get lost on the bloggers and pundits out there who like to follow cases.

On a personal note, I find it disturbing that people will treat a criminal case like a sporting event, rooting for one side or the other, making horrendous remarks about people (yes, the accused is still a "people"), and generally acting like jerks.  Sadly, that attitude and behavior is also present in our national news and talk shows.

As each side reviews the facts and evidence and formulates a theory that will become the skeleton upon which their story will hang, they rely on many different sources of information: witness statements, timelines, crime scene evidence, statements by the accused, and forensic evidence.

Contrary to what you see on television, forensic evidence is not always as cut and dried as one would be led to believe.  That is why there are experts who work on both sides of a case.  The people who gather and analyze forensic evidence can and do make mistakes in the gathering, preservation, analysis, and presentation of the evidence.  Even when the forensic evidence is properly processed and presented to an attorney, be it the prosecutor or the defense, there is still the possibility that the counselor will not adequately understand the information being given to them, simply because the science is outside their area of expertise.  Attorneys are typically not experts in DNA, anthropology, gangs, or computer forensics.

This is where the experts enter the arena in many cases.

To be continued....
